HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Russian Hackers Phish Signal and WhatsApp Accounts of Officials, U.S. Offers $10 M Bounty

Russian‑linked groups UNC5792 and UNC4221 are stealing Signal and WhatsApp backup keys to hijack thousands of high‑profile accounts. The U.S. has placed a $10 million reward on information leading to the actors, highlighting the need for robust security‑awareness controls in SOC 2 programs.

LiveThreat™ Intelligence · 📅 June 30, 2026· 📰 securityaffairs.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
3 recommended
📰
Source
securityaffairs.com

Russian Hackers Phish Signal and WhatsApp Accounts of Officials, U.S. Offers $10 M Bounty

What Happened — Russian‑linked groups UNC5792 and UNC4221 have been using sophisticated phishing campaigns against Signal and WhatsApp to steal users’ backup recovery keys and hijack accounts. The attacks have compromised thousands of accounts belonging to government officials, diplomats, journalists and other high‑value targets. The U.S. Department of State’s Rewards for Justice program is offering up to $10 million for information that leads to the identification of the actors.

Why It Matters for Compliance & Audit Readiness

  • Phishing that harvests authentication material bypasses technical controls; SOC 2 access‑control policies must require strong user‑training and verification of device‑linking procedures.
  • Continuous evidence of security‑awareness training and simulated phishing tests provides audit‑ready proof that the organization mitigates social‑engineering risk.
  • Mapping this threat to the SOC 2 CC6.1 (Logical Access) and CC6.2 (User Management) controls demonstrates due diligence in protecting confidential communications.

Who Is Affected – Government agencies, diplomatic missions, defense and intelligence partners, investigative journalists, NGOs supporting Ukraine, and academic researchers (primarily GOV_PUBLIC and MEDIA_ENT sectors).

Recommended Actions

  • Incorporate secure‑messaging device‑linking workflows into your security‑awareness curriculum and test them with regular phishing simulations.
  • Enforce multi‑factor authentication and recovery‑key management policies for any corporate‑approved messaging apps.
  • Document training completion and phishing‑test results as part of your SOC 2 evidence repository.

Source: Security Affairs

Technical Notes – Attack vector: social‑engineering/phishing; exploits legitimate device‑linking features in Signal and WhatsApp to capture backup recovery keys. No vulnerability (CVE) disclosed. Compromised data includes past conversation history, contact lists and the ability to launch further phishing from hijacked accounts. Source: same as above

📰 Original Source
https://securityaffairs.com/194441/security/u-s-offers-10-million-reward-for-russian-hackers-behind-signal-and-whatsapp-phishing.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Security Awareness

Awareness is a control you can evidence too.

Verisq AI Trust Operations records training completion and policy adoption as audit evidence — turning 'we train our staff' into something you can actually prove.

See how Verisq AI Trust Operations covers awareness →